
How Not to Click "forgot password" Anymore, Once and for All.

How to increase the security of all your user accounts and reduce complexity at the same time.

By Z3n Ch4n | Published 3 years ago | 7 min read
Photo by Kevin Ku on Unsplash

People, Process, Technology.

As a security professional, one of the areas that concerns me most is password security. In the real world, hackers are not like the ones in most movies or TV shows (Mr. Robot excepted). They rarely penetrate a system with complex malware or tools. Instead, they often get in by compromising the weakest link: people. In this article I will walk you step by step through making your account management more secure.

"Pwned"

If your wallet is stolen, you know it the moment you put your hand in your pocket. In the digital world, what is stolen is still there, so you may never notice. A good place to start, then, is checking whether your identity has been stolen.

Let's talk about what "pwned" means. According to Merriam-Webster:

Pwn is a lot like own, then, in the sense of 1b, "to have power or mastery over (someone)." (This is, of course, no coincidence. The word likely has its origin in a mistyping of own, what with the p and o being so close to one another on the QWERTY keyboard and all.)

In cybersecurity, being pwned means someone has gained unauthorized access to your account. There are several ways to check whether you have been part of a breach.

1# Have I been pwned

Have I Been Pwned (HIBP) was created by Troy Hunt. It is a free, public website that checks whether your email address appears in a known breach. It is also the service most often recommended to the general public.

Screen capture of HIBP | copyright by the author

2# Firefox Monitor

Find out if you've been part of a data breach.

This is another free breach-monitoring service, offered by Firefox. You can also subscribe to email notifications when a new breach involving your address appears. I use this one personally. The other tabs list recent breaches, including what information was possibly exposed. Firefox Monitor also shares data with HIBP.

3# Google Password Checkup extension


If you are a Chrome user, another option is Google's Password Checkup extension. However, Google ended support for this extension after 31 August 2020, and it is no longer usable in browsers other than Chrome.

Instead, Google is merging this function into Chrome itself. The only difference is that you need a Google account and must be signed in to the browser. Google also emails suggestions about suspicious account activity, and you can act on them with a few clicks.

What should you do if one of your accounts appears in a breach? Change your login information immediately. Make sure you do this from a trusted machine on a trusted network.
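HIBP also offers a Pwned Passwords range API that lets you check a password itself, not only an email address, without sending the password anywhere: only the first five hex characters of its SHA-1 hash leave your machine (k-anonymity), and the rest is matched locally. The following is an added example, not the article's or HIBP's code; the range response is constructed so it runs offline, and the User-Agent string is an assumption.

```python
import hashlib
import urllib.request

# Constructed range response for prefix 5BAA6 (the SHA-1 of "password" starts
# 5BAA61E4...). The first two suffixes are made up; the third is the real
# suffix of "password", paired with a made-up count.
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def sha1_prefix_suffix(password: str):
    """Upper-case SHA-1 of the password, split into the 5-hex-char prefix
    that is sent to the server and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against a range response ("SUFFIX:COUNT" per
    line) and return the breach count, or 0 when the password is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        their_suffix, count = line.split(":", 1)
        if their_suffix.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Download the live range for one 5-char prefix (network required;
    HIBP asks clients to identify themselves with a User-Agent)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password_live(password: str) -> int:
    """Full k-anonymity check against the live service."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))

if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE))  # 3861493 (constructed count)
```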

The Defense

I choose not to discuss the attack techniques separately here and instead focus on how to protect yourself from them. The first topic is building a password that is easy to remember yet strong enough to resist password cracking.

Zen's Password Rules

According to SplashData, the most common passwords are:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Other common passwords include:

  • Nothing
  • Secret
  • Password1
  • Admin

If you use one of the above, change it as soon as you have read my password rules. But first, it helps to understand what kind of password is most susceptible to cracking.

Hackers use password-cracking software backed by a giant password database. As the list above shows, a single word or a run of digits is a poor choice: those passwords, and all their variants, are already in the hackers' "password table".

Most popular websites enforce a password policy that requires a certain level of complexity: special characters, upper- and lower-case letters, and a mix of letters and digits. In my security awareness training for customers, I always suggest the following.

1# Create a "Seed" for passwords

Computer systems use a seed to generate random numbers. What is a "seed" for you? It is the starting point for creating all your passwords. You can take your company email and transform it, or build one from your name. Apply the letter transformation from rule 2# to it and keep it secret.

The seed should be related to you, so that you remember it, but at the same time complex enough to resist guessing.

2# Letters Transformation

If, like me, you are a fan of the TV show Mr. Robot, you have probably noticed this in each episode's official title.


"eps1.0_hellofriend.mov"

"eps1.1_ones-and-zer0es.mpeg"

"eps1.2_d3bug.mkv"

"eps1.3_da3m0ns.mp4"

"eps1.4_3xpl0its.wmv"

"eps1.5_br4ve-trave1er.asf"

Hackers have used this kind of letter transformation to bypass older detection and keyword-blocking techniques. It is less effective now that AI-based detection is in use. Still, it is useful for creating a complex password that is easy to remember but hard to guess.

As you can see from those titles, the following substitutions work:

  • "0" for o or O, e.g. zero → zer0
  • "1" for I or l, e.g. traveler → trave1er
  • "4" for A, e.g. brave → br4ve
  • "@" for a
  • "3" for E
  • "2" for Z

You can use your 0wn tr@nsl4tion, but the rule is t0 k3ep 1t consistent. With this rule, letter transformation alone can satisfy even the most demanding password policy.
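The same substitutions are built into password-cracking rule sets, which is why the article warns that variants of common passwords sit in the hackers' "password table". This added example (not the article's code) reads the substitution table above backwards and checks whether a transformed password collapses to one of the common passwords listed earlier; the candidate cap is an assumption.

```python
from itertools import product

# The article's substitution table read backwards: each digit/symbol and the
# letters it may stand for. "1" is ambiguous (I or l), so both are tried.
UNLEET = {"0": "o", "1": "il", "4": "a", "@": "a", "3": "e", "2": "z"}

# SplashData top-10 from the article plus the four extra entries it names.
COMMON = {
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "nothing", "secret",
    "password1", "admin",
}

MAX_CANDIDATES = 256  # assumed cap so inputs full of "1"s cannot explode

def unleet_candidates(pw: str):
    """Yield every plain-text reading of pw under the reverse table.
    Each character either stays as-is or becomes one of its letter readings;
    the first candidate yielded is always the unchanged (lower-cased) input."""
    options = [(ch,) + tuple(UNLEET.get(ch, "")) for ch in pw.lower()]
    for n, combo in enumerate(product(*options)):
        if n >= MAX_CANDIDATES:
            return
        yield "".join(combo)

def weak_reading(pw: str):
    """Return the common password that pw collapses to, or None.
    A wordlist plus substitution rules covers these variants, so a transformed
    password is no stronger than its plain-text reading."""
    for cand in unleet_candidates(pw):
        if cand in COMMON:
            return cand
    return None

if __name__ == "__main__":
    for sample in ("P@ssw0rd", "i10veyou", "4dm1n", "correct horse battery"):
        print(sample, "->", weak_reading(sample))
```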

3# Make it rememberable

Computers are part of daily life: for work and for leisure we use many different systems and websites, and each requires us to log in. It is frustrating to click the forgot-password button every time you return to a website you seldom use, or whenever you are simply forgetful.

It is also a bad idea to use ONE PASSWORD for all your accounts (please do not do that; if you do, change it now!). This rule helps you remember: include the URL in your password. Yes, you read that correctly. I am asking you to consider including the website's URL in your password.

Some companies require users to change their password every 30 days or so. It is a good practice and part of some security standards, but it becomes a challenge when the user cannot remember what they typed. In that case, consider adding the date of the change to your new password.

4# Combining 1# to 3# to come up with a great password

So now you know how to transform letters into complex password elements, and that putting the URL or date in your password helps you remember where and when you use it. This rule combines the "seed" with a variable tied to where or when the account was created.

Here is a walkthrough example.

Let's say Mr. Robot wants to join Netflix. When creating the account, he first transforms his name "MrRobot" into "MrR0bo4" (the seed) and "Netflix" into "N3tf1ix" (the variable). A good password option could then be:

Can you follow that? If he also wants to join amazon.com, the possible password combinations could be:

The key is to keep the seed and change only the remaining part. Remember NOT to tell anyone which part remains unchanged. The seed is the ultimate secret: never write it down or tell anyone.

With a little practice, you can use this method anywhere. But before you start changing passwords on different websites, test your password strength using the following portal:

Password Strength Test - My1Login

The test result of password "MrR0bot@[email protected]" | copyright by the author

At the end of this article, let me share a video about identity theft by an expert.

Takeaways

Thank you for reading. This is a first attempt at writing more about my second interest, security, alongside biohacking.

I hope this article gives you some ideas for coming up with a password that is both good and easy to remember. If you find it useful, please share it with people who are struggling with password safety.

In summary:

First, use the suggested resources to check whether your account has been breached.

  • HIBP
  • Firefox Monitor
  • Google Chrome built-in account security functions

Then, to create a good password, follow Zen's password rules:

  • Create a seed (Do not tell anyone)
  • Letter Transformation
  • Anchoring with URL or Date
  • Generate (Practice) and test the strength

Next time I will write more about how to enhance the security of your online identity further.

Happy reading and strengthening account security.


About the Creator

Z3n Ch4n

Interested in Infosec & Biohacking. Security Consultant. Love reading and running.

hackernoon.com/u/z3nch4n
